1 2 Previous Next 11 Replies Latest reply on Nov 14, 2013 3:07 PM by ittech

    VPN clients not getting agents

    ittech

      I have an issue where laptops that VPN in only are not getting Agents installed and/or are not updating back to the ePO. This concerns me because we are supposed to be rolling out EEPC soon to these laptops.

       

      I guess the problem is that I don't know exactly where my issue is occuring and why the laptops aren't being installed with ePO agents. Has anyone had a similar experience?

        • 1. Re: VPN clients not getting agents
          Tristan

          You issue is probably down to how VPN clients present thier MAC address to the network/ePO.

           

          To get the agents to install correctly you want a way of setting a permanent and unique MAC to each laptop. That way ePO will correctly indentify the laptop when it connects.

          1 of 1 people found this helpful
          • 2. Re: VPN clients not getting agents
            ittech

            I saw this looking through the old posts. I thought I had searched VPN, but I guess not

             

            Is there a way to do this now that the laptops are already out in the wild?

            • 3. Re: VPN clients not getting agents
              Tristan

              What VPN solution are you using?

              • 4. Re: VPN clients not getting agents
                ittech

                We're currently using the Cisco VPN client, but we'll be switching to a Dell SonicWall soon which will have a different client.

                • 5. Re: VPN clients not getting agents
                  Tristan

                  Not sure about the CISCO vpn client but on the SonicWall (We use a pre-Dell 3060 and v4.6 of the client software)  i know there's a field under the advanced settings of the virtual network adapter where you can define the MAC address.

                  • 6. Re: VPN clients not getting agents
                    ittech

                    Looks like all Cisco VPN's have the same MAC address of 00-05-9A-3C-78-00

                    • 7. Re: VPN clients not getting agents
                      Richard Carpenter

                      Hi all.

                       

                      Most VPN routers also act as firewalls. You would need to open port 445 TCP SMB since the initial agent 'push' is done via an SMB push to the admin$ share of the remote machine.

                       

                      We use CISCO ASA for our VPN also and opening this port worked for us, just be careful of your network ACLs when opening this port, you don't want to open this for all conections in both directions.

                       

                      The ASA's also maintain their own DNS zone with forwarding and the initial push is done by name so you VPN routers will need to update the same DNS internal servers being used by your ePO server to enable the name resolution by the ePO server, alternatively you can also add the DNS servers for your VPN security boundary to the DNS servers list locally on your ePO server OS.

                       

                      If your mobile devices/laptops also don't exist in you internal DNS zone your ePO server will never be able to find them even if they do connect via VPN unless they register internally once the tunnel is established and terminated on your WAN. Agent deployment is done via name resolution.

                       

                      You could also distribute the framepkg file from your ePO server which can be found in the dB/software/current/epo3000 folder inside your ePO installation folder.

                       

                      Once your agents are installed you could also implement either a relay server or agent handler in your DMZ negating the need for your agents to be connected via VPN, this will aid in disconnecting devices in differing security domains/boundaries but maintaining a connection to your internal ePO server.

                      1 of 1 people found this helpful
                      • 8. Re: VPN clients not getting agents
                        ittech

                        1) I'll have to check on port 445 on the ASA.

                         

                        2) I think that the ASA and the ePO share DNS info but I can check on that, too

                         

                        3) I tried installing the FramePkg.exe and the Agent is still not connecting to the ePO server

                         

                        4) I don't think I'll be able to set up an AH

                        • 9. Re: VPN clients not getting agents
                          Richard Carpenter

                          Hi ittech,

                           

                          Reference point 3 above.... The ports for the Agent to communicate with the ePO server will also need to be opened since they are not in the  'well known ' range.

                           

                          Referernece to the McAfee KB on ports required for ePO

                           

                          https://kc.mcafee.com/corporate/index?page=content&id=KB66797

                           

                          We have spent as much time designing or ACL rules as well have spent designing our server infrastructure. Feel free to get in touch if you would like any help identifying what ports need to opened at your boundaries.

                           

                          Regards

                           

                          Rich

                          1 2 Previous Next